On 2015-05-06 1:08 PM, Anne van Kesteren wrote:
On Wed, May 6, 2015 at 7:02 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
* Restricting this API to resources loaded from a secure origin also doesn't
help in any way in practice. It doesn't address your original concern _at
all_ (since your malicious web site can easily get a certificate and perform
the same annoying operation), and a potential network attacker MITMing your
connection can inject a tiny Flash object and script it. It will be a few
more lines of code for the attacker to write, and they would get a pretty
solid attack for the majority of desktop users, at least.
Flash will go away (to the extent it hasn't already on mobile), this
feature won't. We should offer better security than what came before.
Sure, but this argument doesn't really work in the present tense where
Flash has actually not gone away, and is _the_ standard way for copying
text to the clipboard.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
